Why is AES encrypted cipher of the same string with the same key always different?

Submitted by 元气小坏坏 on 2019-12-02 05:12:55
podiluska

Because the "salt" varies each time. This prevents, for example, rainbow table type attacks on the encrypted values. See http://en.wikipedia.org/wiki/Salt_(cryptography)

The reason you are getting a different encrypted string is "enc -aes-128-cbc". CBC stands for Cipher Block Chaining. So, for the 2nd block, the encrypted output of the first block acts as the IV, so each time you get a different string. For more details, google "AES in CBC mode".

You get different outputs on each run because a new salt is generated each time you run the command. In order to provide the same salt for each consecutive run, use the -S salt option, i.e.

openssl enc -aes-128-cbc -salt -S "Salt" -k "Hello" -in plain.txt -out encrypted.bin

The reason is that the actual key which is used for encryption is derived from your passphrase and the SALT. Then definitely the ciphertext will be different even if you still use the same password, because the SALT is different.

OpenSSL uses a salt by default to mitigate dictionary attacks. If you don't want to use it, then use the same salt as suggested by other answers, or add the nosalt option as follows:

openssl enc -aes-128-cbc -nosalt -k "Hello" -in plain.txt -out encrypted.bin

You can see the ciphertext in hex using xxd

xxd encrypted.bin
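
Added example (not part of the original answers): a Python sketch of how `openssl enc` without `-pbkdf2` turns the passphrase and salt into the AES-128-CBC key and IV (the EVP_BytesToKey scheme with one iteration), and how the salt is read back from the `Salted__` header of the output file. The function names and sample bytes are constructed for illustration. The digest is assumed to be SHA-256, the default since OpenSSL 1.1.0; older releases default to MD5.

```python
import hashlib
import os

MAGIC = b"Salted__"  # 8-byte marker `openssl enc` writes before the 8-byte salt


def evp_bytes_to_key(passphrase, salt, key_len=16, iv_len=16, digest="sha256"):
    """Derive (key, iv) as EVP_BytesToKey does with an iteration count of 1."""
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # D_i = H(D_{i-1} || passphrase || salt)
        block = hashlib.new(digest, block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted_file(blob):
    """Return (salt, ciphertext); the salt is b"" for output made with -nosalt."""
    if blob.startswith(MAGIC) and len(blob) >= 16:
        return blob[8:16], blob[16:]
    return b"", blob


def derive_for_file(passphrase, blob, digest="sha256"):
    """Recompute the key and IV that were used to produce an encrypted file."""
    salt, _ = split_salted_file(blob)
    return evp_bytes_to_key(passphrase, salt, digest=digest)


if __name__ == "__main__":
    pw = b"Hello"
    body = b"\x00" * 16  # constructed stand-in for the ciphertext bytes
    # Constructed samples: two default runs (random salt each) and one -nosalt run.
    samples = {
        "run 1": MAGIC + os.urandom(8) + body,
        "run 2": MAGIC + os.urandom(8) + body,
        "-nosalt": body,
    }
    for name, blob in samples.items():
        salt, _ = split_salted_file(blob)
        key, iv = derive_for_file(pw, blob)
        print(f"{name:8} salt={salt.hex() or '(none)':16} "
              f"key={key.hex()} iv={iv.hex()}")
```

Both the key and the IV come from the salted hash, so a new salt changes every ciphertext block, while `-nosalt` or a fixed `-S` value gives the same key, IV and ciphertext on every run.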